Review of the SEC's Systems Certification and Accreditation Process

March 27, 2013
Report No. 515

REDACTED PUBLIC VERSION

Should you have any questions regarding this report, please do not hesitate to contact me. We appreciate the courtesy and cooperation that you and your staff extended to our auditor and contractors during this audit.

Attachment

cc:  Elisse B. Walter, Chairman
     Erica Y. Williams, Deputy Chief of Staff, Office of the Chairman
     Luis A. Aguilar, Commissioner
     Troy A. Paredes, Commissioner
     Daniel Gallagher, Commissioner
     Jeff Heslop, Chief Operating Officer, Office of the Chief Operating Officer
     Pamela C. Dyson, Deputy Director/Deputy CIO, Office of Information Technology
     Todd K. Scharf, Associate Director, Chief Information Security Officer, Office of Information Technology

Review of the SEC's Systems Certification and Accreditation Process

Executive Summary

The U.S. Securities and Exchange Commission (SEC or Commission) Office of Inspector General (OIG) contracted the services of Networking Institute of Technology, Inc. (NIT) to assess the certification and accreditation (C&A) process the Office of Information Technology (OIT) and information system owners use to test their systems and determine compliance with governing SEC policies and procedures, industry best practices, and applicable government laws, directives, regulations, and publications such as the Office of Management and Budget Circular A-130, Management of Federal Information Resources, November 28, 2000 (OMB A-130),[1] including Appendix III, Security of Federal Automated Information Resources. OMB's circulars provide guidance that can be used to ensure information systems are protected throughout the lifecycle process. The lifecycle process for an information system consists of phases covering planning, analysis, design, implementation, and retirement.

[1] OMB Circular No. A-130 Revised, Management of Federal Information Resources (November 28, 2000).

OIT supports the SEC's functions in all aspects of information technology (IT), including IT security and conducting C&As. The Chief Information Officer (CIO), who is responsible for developing and maintaining an agency-wide information security program, heads OIT. The Chief Information Security Officer (CISO) carries out the CIO's information security responsibilities under federal law. OIT has developed C&A packages for the SEC's information systems that provide relevant information on the security state of the systems. OIT conducts system-level risk assessments for the SEC's information systems, and plans of action and milestones are developed to mitigate identified risks. In addition, as part of its continuous monitoring process, OIT conducts penetration testing and vulnerability scanning on a regular basis.

The C&A process is required by the Federal Information Security Management Act (FISMA).[2] The traditional C&A approach requires that C&As be performed on all information systems. A C&A stays in force for three years, unless significant changes are made to the system or the operating environment. The C&A process consists of "[a] comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system."[3]

[2] Title II, Pub. L. No. 107-347 (December 17, 2002), §3545.
[3] NIST SP 800-18, Rev. 1, Guide for Developing Security Plans for Federal Information Systems (February 2006), pp. 31-32, Appendix B, Glossary.

A security testing and evaluation (ST&E) is essential to the C&A process. An ST&E is used to determine a system's compliance with defined security requirements; the correctness and effectiveness of the security controls implementing those requirements are tested. Organizations use the ST&E to document security controls that are effective, ineffective, or not fully implemented.

Objectives. NIT's overall objective was to conduct a review of the SEC's systems C&A process and determine if there are areas that need strengthening. Our specific review objectives included:

• Reviewing OIT's C&A process to ensure it is based on the six-step Risk Management Framework criteria identified in National Institute of Standards and Technology (NIST) SP 800-37, Rev. 1.
• Conducting a system assessment and determining if the SEC has appropriately certified and accredited all its systems in accordance with industry best practices and guidelines.
• Determining whether the C&A process for critical applications is effective in identifying and mitigating risks in a timely manner.
• Conducting an assessment to determine the adequacy of OIT's internal controls and compliance with internal information security policies and procedures and industry best practices, standards, and guidelines.

Results. OIT's documentation to support the evaluation of some systems' security controls needs improvement. Specifically, OIT's evaluation of security controls for some SEC information systems needs to be better documented. We determined that some elements used to conduct the assessments were not clearly identified. The review found that contractors did not provide enough evidence within the ST&E to demonstrate they had examined documentation, conducted interviews, and tested the security controls for the ST&E evaluation. Consequently, we determined the ST&E needed support to demonstrate the assessor's method for examining, interviewing, and testing security controls. The review further found that an ST&E was not done for a contractor system and that OIT does not require that ST&Es be conducted for contractor systems.

The review also found that OIT's evaluation of some security controls should have been better documented. Specifically, all elements used to conduct the assessments should have been clearly identified. Without sufficient documentation in the ST&E, OIT cannot validate that security controls are functioning as intended. We determined OIT should improve how it evaluates the SEC systems' security controls.

Further, the review found the designated approving authority (DAA) did not review and verify the terms and conditions set forth in the system authorization on an annual basis, as described in the authorization to operate letter. Also, the DAA reviewed and verified the terms and conditions of the SEC's security controls on a three-year cycle, rather than on a continuous basis. Because security controls are not reviewed and a security status report is not developed at least annually, the SEC's information systems are operating at an elevated risk of exploitation.

The review of personally identifiable information (PII) is not consistently documented in some C&A packages. Moreover, PII related to some systems was inconsistent with the C&A documentation that was reviewed. As a result, PII is potentially not being properly protected.

Additionally, the SEC's information system owners did not fully understand their roles and responsibilities in the C&A process. We also found that system owners did not receive any formal role-based IT security training or guidance based on their roles and responsibilities as system owners. As a result, they are approving C&A packages without having technical knowledge. This could potentially result in data not being properly protected.

Finally, the DAA has not taken role-based training, yet is responsible for providing advice and assistance to senior management regarding the SEC's systems; developing, maintaining, and facilitating the implementation of a sound information security program; and promoting the effective and efficient design and operation of all major information resources management processes. Having role-based training would enhance the DAA's understanding of federal IT security standards.

Summary of Recommendations. This report contains seven recommendations that were developed to strengthen the SEC's systems certification and accreditation process. Our most significant recommendations were that OIT implement a centralized repository for managing C&A activities, including the security test and evaluation process; determine if the Commission has C&A files stored on its contractor's off-site servers; and require that future contractors maintain Commission files only on SEC servers.

We further recommended that OIT develop and provide security status reports to the designated approving authority annually, as specified in the authorization to operate memorandums, and work with system owners and the SEC privacy office to review all Commission systems and conduct privacy analysis worksheets to determine if they contain PII.

Finally, we recommended that OIT develop a formal C&A briefing for information systems and present it to the system owners for review; provide direction to staff on properly evaluating security controls; identify the portion of the hybrid controls that is inherited by the general support system and the portion that is covered by system-specific controls; and include a list of common controls that are inherited from the general support system, in accordance with approved system security plan templates.

Management's Response to the Report's Recommendations. OIG provided SEC management with the formal draft report on March 14, 2013. SEC management concurred with all recommendations in this report. OIG considers the report recommendations resolved. However, the recommendations will remain open until documentation is provided to OIG that supports that each recommendation has been fully implemented.

SEC management's response to each recommendation and OIG's analysis of their responses are presented after each recommendation in the body of this report.

The full version of this report includes information that the SEC considers to be sensitive or proprietary. To create this public version of the report, OIG redacted (blacked out) potentially sensitive, proprietary information from the report.

TABLE OF CONTENTS

Executive Summary ... iii
Table of Contents ... vii
Background and Objectives ... 1
    Background ... 1
    Objectives ... 4
Findings and Recommendations ... 5
    Finding 1: OIT's Documentation to Support Evaluation of Security Controls for SEC's Information Systems Could Be Improved ... 5
        Recommendation 1 ... 16
        Recommendation 2 ... 16
    Finding 2: OIT Did Not Develop Security Status Reports for SEC's Systems the DAA Could Review ... 17
        Recommendation 3 ... 18
    Finding 3: PII Is Inconsistently Documented in Some C&A Packages ... 19
        Recommendation 4 ... 22
    Finding 4: SEC Information System Owners Did Not Fully Understand Their Roles and Responsibilities in the C&A Process ... 23
        Recommendation 5 ... 25
    Finding 5: DAA Has Not Had Formal Role-Based IT Security Training ... 25
    Finding 6: OIT Did Not Identify the Portion of Hybrid Controls GSS Inherited and the Portion Covered by System-Specific Controls ... 27
        Recommendation 6 ... 33
        Recommendation 7 ... 33
Appendices
    Appendix I: Abbreviations ... 34
    Appendix II: Definitions ... 35
    Appendix III: Scope and Methodology ... 36
    Appendix IV: Criteria ... 39
    Appendix V: List of Recommendations ... 41
    Appendix VI: Management Comments ... 43

Tables
    Table 1: Evaluation of AC-2.1 for NIT's Sample System Universe ... 7
    Table 2: CA-2.2 Detail for the Systems NIT Evaluated ... 10
    Table 3: Evidence and Artifacts for CA-7.1 for the Systems NIT Evaluated ... 13
    Table 4: NIT's Privacy Analysis ... 21
    Table 5: Identification of Hybrid and System-Specific Controls for CA-7.1 for the Systems Evaluated ... 30

Figures
    Figure 1: Risk Management Framework Process ... 4

Background and Objectives

Background

The U.S. Securities and Exchange Commission (SEC or Commission) Office of Inspector General (OIG) contracted the services of Networking Institute of Technology, Inc. (NIT) to assess the certification and accreditation (C&A) process the Office of Information Technology (OIT) and information system owners use to test their systems and determine compliance with governing SEC policies and procedures, industry best practices, and applicable government laws, directives, regulations, and publications such as the Office of Management and Budget Circular A-130, Management of Federal Information Resources, November 28, 2000 (OMB A-130), including Appendix III, Security of Federal Automated Information Resources.[4]

OMB A-130 establishes policy for managing federal information resources, and its appendices include procedural and analytic guidelines for implementing specific aspects of these policies. Specifically, Appendix III establishes a minimum set of controls to be included in federal automated information security programs; assigns federal agency responsibilities for the security of automated information; and links agencies' automated information security programs and management control systems in accordance with OMB Circular A-123, Management's Responsibility for Internal Controls, December 21, 2004, which further defines management's responsibility for internal control in federal agencies. These circulars also provide guidance that can be used to ensure information systems are protected throughout the lifecycle process. The lifecycle process for an information system consists of phases covering planning, analysis, design, implementation, and retirement.

[4] OMB Circular No. A-130 Revised, Management of Federal Information Resources (November 28, 2000).

The Office of Information Technology

OIT supports the SEC's functions in all aspects of information technology (IT), including IT security and conducting C&As. OIT is comprised of four branches and is led by the Chief Information Officer (CIO), who is responsible for developing and maintaining an agency-wide information security program. The Chief Information Security Officer (CISO) carries out the CIO's information security responsibilities under federal law. One of the CISO's primary duties includes the performance of information security.[5]

[5] OIT Security Policy Framework Handbook, No. CIO-PD-08-06 (August 7, 2012), pp. 7-8, Responsibilities.

OIT has developed C&A packages for the SEC's information systems that provide relevant information on the security state of the systems. Further, OIT conducts a Federal Information Processing Standards (FIPS) 199 analysis to determine the categorization of each system, and the security control selection is based on the system categorization level. In addition, system security plans (SSP) have been developed for each system, and the SSPs are approved by a senior OIT official. Control implementation is documented in the SSP, including a functional description of the control implementation. A system-level risk assessment is conducted for each system, and a plan of action and milestones (POA&M) is developed to mitigate the risks. Finally, as part of its continuous monitoring process, OIT conducts penetration testing and vulnerability scanning on a regular basis.

ST&E and Certification and Accreditation

A security testing and evaluation (ST&E) is essential to the C&A process. An ST&E is used to determine a system's compliance with defined security requirements; the correctness and effectiveness of the security controls implementing those requirements are tested. Organizations use the ST&E to document security controls that are effective, ineffective, or not fully implemented. Ineffective security controls and controls that have not been fully implemented are documented in a risk assessment. The risk assessment defines the residual risk[6] for a system prior to mitigation and after appropriate risk mitigation has occurred.

[6] The remaining potential risk after all IT security measures are applied.

OIT's designated approving authority (DAA) determines the acceptable level of risk based on the SEC's requirements and uses the risk assessment and certification package to issue an authorization to operate or to deny accreditation of the system. The DAA is an organizational official who acts on behalf of an authorizing official to carry out and coordinate required activities associated with security authorization.[7] OIT's CIO is the SEC's designated DAA. The DAA's primary responsibilities include reviewing the SEC's security risks and making a final decision whether to authorize operations, delay operation to allow mitigation of risks prior to authorizing, or deny operation based on risk findings for the SEC's information systems.

[7] NIST SP 800-37, Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (February 2010), p. B-2, Glossary.

The C&A process is required by the Federal Information Security Management Act (FISMA).[8] The traditional C&A approach requires that C&As be performed on all information systems. A C&A stays in force for three years, unless significant changes are made to the system or the operating environment. The traditional C&A approach has transformed into a more robust approach that is related to managing security-related risks and is based on the six-step risk management framework (RMF) criteria identified in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37, Rev. 1).[9]

[8] Title II, Pub. L. No. 107-347 (December 17, 2002), §3545.
[9] NIST SP 800-37, Rev. 1, p. 1, Section 1.1.

The C&A process consists of "[a] comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system."[10] Based on the results of the assessment, a senior agency official authorizes an information system to operate and explicitly accepts the risk to agency operations. This process emphasizes: "(i) building information security capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls; (ii) maintaining awareness of the security state of information systems on an ongoing basis through enhanced monitoring processes; and (iii) providing essential information to senior leaders to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the operation and use of information systems."[11]

[10] NIST SP 800-18, Rev. 1, Guide for Developing Security Plans for Federal Information Systems (February 2006), pp. 31-32, Appendix B, Glossary.
[11] NIST SP 800-37, Rev. 1, pp. 1-2, Section 1.1.

In accordance with SEC policy, OIT is responsible for overseeing the C&A team, ensuring security controls have been properly assessed using the assessment methods and procedures described in NIST publications and in accordance with industry best practices, and ensuring an accreditation package is prepared and maintained for each system.[12] We reviewed OIT's C&A process based on the RMF criteria identified in NIST SP 800-37, Rev. 1. Figure 1 below illustrates the RMF process.[13]

[12] Implementing Instruction, IT Security Certification and Accreditation, Policy No. 24-04-10-01 (June 29, 2005), pp. 6-8, Section 6, Roles and Responsibilities.
[13] NIST SP 800-37, Rev. 1, p. 8, Figure 2-2.

Figure 1: Risk Management Framework Process
[Figure: diagram of the RMF process. Architecture Description inputs (Architecture Reference Models; Segment and Solution Architectures; Mission and Business Processes; Information System Boundaries) and Organizational Inputs (Laws, Directives, Policy Guidance; Strategic Goals and Objectives; Priorities and Resource Availability; Supply Chain Considerations) feed the Risk Management Framework at its starting point; the process repeats as necessary.]
Source: NIST SP 800-37, Rev. 1.

Objectives

NIT's overall objective was to conduct a review of the SEC's systems C&A process and determine if there are areas that need strengthening. Our specific review objectives included:

• Reviewing OIT's C&A process to ensure it is based on the six-step RMF criteria identified in NIST SP 800-37, Rev. 1.
• Conducting a system assessment and determining if the SEC has appropriately certified and accredited all its systems in accordance with industry best practices and guidelines.
• Determining whether the C&A process for critical applications is effective in identifying and mitigating risks in a timely manner.
• Conducting an assessment to determine the adequacy of OIT's internal controls and compliance with internal information security policies and procedures and industry best practices, standards, and guidelines.

Findings and Recommendations

Finding 1: OIT's Documentation to Support Evaluation of Security Controls for SEC's Information Systems Could Be Improved

    OIT's evaluation of some security controls for the SEC's information systems should be better documented. Specifically, not all elements that were used to conduct its security control assessments were clearly identified.

NIST SP 800-53A, Rev. 1 provides guidance for assessing security controls within an effective risk management framework. The results of the assessment provide management with evidence about the effectiveness of the organization's security posture for its information systems. These controls consist of, but are not limited to: access control, awareness and training, audit and accountability, security assessment and authorization, configuration management, contingency planning, identification and authentication, incident response, maintenance, media protection, physical and environmental protection, planning, personnel security, risk assessment, system and services acquisition, system and communications protection, system and information integrity, and program management.[14]

[14] NIST SP 800-53A, Rev. 1, Appendix F.

We used the aforementioned controls to evaluate and assess OIT's security posture by testing a judgmental sample of 15 percent (11 of 59) of the SEC's information systems. Our testing consisted of reviewing the C&A packages for 11 information systems the SEC certified and accredited from January 1, 2010 to March 31, 2012. The systems in our sample universe consisted of the [redacted]. We also assessed the systems to determine if they were evaluated in accordance with industry best practices and guidelines. Further, we reviewed the ST&E for each system to determine if OIT examined, interviewed, and tested security controls, provided detail for each security control evaluated, and obtained evidence and artifacts to evaluate the security controls. The ST&E security document consisted of assessment criteria and assessment results for required security controls for information systems. We further conducted a detailed ST&E review based on a judgmental sample of 12 percent (24 of 200) of the security controls from the ST&E documents.

Our review of the SEC's 11 systems found that an ST&E was not done for a contractor system. We later learned that OIT does not require that ST&Es be conducted for contractor systems; OIT examines the ST&Es that are conducted by the contractor. Our review of the 10 remaining systems found that OIT's evaluation of some security controls should have been better documented and that all elements used to conduct the assessments should have been clearly identified.

NIST Examine, Interview, and Test Requirements

NIST SP 800-53A, Rev. 1 describes the assessment methods used to conduct a security control evaluation as follows:

    Assessment methods define the nature of the assessor actions and include examine, interview, and test. The examine method is the process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities). The purpose of the examine method is to facilitate assessor understanding, achieve clarification, or obtain evidence. The interview method is the process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence. The test method is the process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior. In all three assessment methods, the results are used in making specific determinations called for in the determination statements and thereby achieving the objectives for the assessment procedure.[15]

[15] Ibid., p. 9, Section 2.4.

OIT's contractor provides the office with C&A support for general support systems (GSS) and reportable systems, in accordance with NIST SP 800-53A, Rev. 1. Our review of the ST&E documents for the systems in our sample determined that the contractor, in assessing the SEC's security posture, did not fully apply NIST SP 800-53A, Rev. 1. Our review of the ST&E documents included reviewing OIT's assessment objectives for 24 security controls and the responses to those objectives. We found the contractor did not provide sufficient documentation within the ST&E to demonstrate they had examined system documentation, conducted interviews, and tested the security controls for the ST&E evaluation. We determined the ST&E lacked sufficient details and evidence to demonstrate the assessor's method for examining, interviewing, and testing security controls.

The contractor's evaluation of security controls relied heavily on penetration testing. However, the contractor did not provide support that the assessments were conducted in accordance with NIST SP 800-53A, Rev. 1. We determined that although penetration testing is a good mechanism to use, it does not address all the security controls identified in NIST SP 800-53A, Rev. 1 that must be covered when conducting a security control assessment.[16] Without sufficient documentation in the ST&E, OIT cannot validate that security controls are functioning as intended. For example, for each security control the assessor determined was satisfied in a prior assessment of the same information system, the assessor can record the result in the control evaluation, which indicates the control is satisfied. However, if the assessor does not independently examine evidence, interview OIT stakeholders, or test the security controls, the assessment of the system's security controls is not thorough.

[16] Penetration testing covers risk assessment, system and communications protection, and system and information integrity but does not address access control, awareness and training, audit and accountability, security assessment and authorization, configuration management, contingency planning, identification and authentication, incident response, maintenance, media protection, physical and environmental protection, planning, personnel security, system and services acquisition, and program management. Ibid., Appendix F.

Table 1 illustrates our comparison between the security control outlined in NIST SP 800-53A, Rev. 1, AC-2.1, Account Management, and the 11 systems in our sample universe.[17]

[17] Ibid., p. F-5.

Table 1: Evaluation of AC-2.1 for NIT's Sample System Universe

OIT Modified Assessment Objective for Control AC-2.1 | OIT's ST&E Response for Control AC-2.1 | System Evaluated | NIT's Evaluation Result
Does the organization manage information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts? | SEC policy prohibits use of temporary or guest accounts, and thus these are not used for [name of system]. | [redacted] | No evidence of conducting interviews, examining documentation, or testing the security control.
Examine organizational | See IA-4.1 and AC-2.1. |

[18] We reviewed 6 of the 11 information systems in our sample and found the same response for this control.
No evidence of conducting\nrecords to determine if     The need for                                interviews, examining\nestablishing, activating,   access and for particular                   documentation, or testing the\nmodifying, reviewing,       system roles are                            security control.\ndisabling, and removing     revalidated annually as part\naccounts are being          of the budget preparation\nperformed in accordance     cycle.\nwith documented account     (Partially covered by\nmanagement procedures.      common controls provided\n                                           19\n                            by the GSS)\nDoes the organization       SEC policy prohibits use of                 No evidence of conducting\nmanage information          temporary or guest                          interviews, examining\nsystem accounts,            accounts except for                         documentation, or testing the\nincluding establishing,     security testing, and thus                  security control.\nactivating, modifying,      these are not normally\nreviewing, disabling, and   used for           . Accounts\nremoving accounts?          established for test\n                            purposes (such as the\n                            security testing\n                            accompanying this\n                            certification) are\n                            appropriately authorized.\nN/A                                 is a contractor                     N/A\n                            system, and ST&Es are not\n                            required for contractor\n                            systems.\nDoes the organization              External is                          No evidence of conducting\nmanage information          intentionally designed to                   interviews, examining\nsystem accounts,            allow use without login.                    
documentation, or testing the\nincluding establishing,     SEC policy prohibits use of                 security control.\nactivating, modifying,      temporary or guest\nreviewing, disabling, and   accounts, and thus these\nremoving accounts?          will not be used for\n                            Internal.\nDoes the organization       SEC policy prohibits use of                 No evidence of conducting\nmanage information          temporary or guest                          interviews, examining\nsystem accounts,            accounts, except as                         documentation, or testing the\nincluding establishing,     specified in OIT Security                   security control.\nactivating, modifying,      policy during vulnerability\nreviewing, disabling, and   scanning or testing of\nremoving accounts?          applications.\nSource: NIT Generated\n\nOur review found no evidence that the assessors examined or tested system\naccounts even though AC-2.1, Account Management, requires examining and\ntesting according to Appendix F of NIST SP 800-53A, Rev. 1. 20 Overall, while we\ndid not find enough evidence to support the method the assessor used for their\n\n\n19\n   NIST SP 800-53, Rev. 3 states that organizations assign a hybrid status to a security control when one\npart of the control is common and another part is system-specific. NIST SP 800-53, Rev. 3, Recommended\nSecurity Controls for Federal Information Systems and Organizations (August 2009), p. 11.\n20\n   NIST SP 800-53A, Rev. 1, p. F-5.\nReview of the SEC\xe2\x80\x99s Systems C&A Process                                                   March 27, 2013\nReport No. 
515\n                                                 Page 8\n\n                                REDACTED PUBLIC VERSION\n\x0ctesting, of these occurrences, we found they properly documented their\nresponses in the ST&E documents for the 11 systems in our sample.\n\nST&E\xe2\x80\x99s Security Control Assessments\n\nAlthough OIT does not prepare security assessment reports, OIT informed us\nthat the results of their security control assessments, which are usually included\nin a security assessment report, were documented in the ST&Es.\nNIST SP 800-37, Rev 1 state:\n\n         The assessment report includes information from the assessor\n         necessary to determine the effectiveness of the security controls\n         employed within or inherited by the information system based upon\n         the assessor\xe2\x80\x99s findings. \xe2\x80\xa6Security control assessment results are\n         documented at a level of detail appropriate for the assessment\xe2\x80\xa6 21\n\nOIT\xe2\x80\x99s policy, IT Security Certification and Accreditation defines the sufficient level\nof detail for the assessment as follows:\n\n         Each SEC major application and general support system shall\n         undergo appropriate technical evaluations to ensure that it meets\n         all Federal and SEC policies, and that all installed security\n         safeguards appear to be adequate and appropriate for the\n         protection requirements of the system. Certification of the system\n         shall be based on the documented results of the formal risk\n         assessment and the Security Test and Evaluation (ST&E), which\n         are based on a specified set of security requirements derived from\n         Federal laws and SEC policies. Certification also may be based\n         on additional forms of evidence, including penetration testing, audit\n         reports, business continuity and disaster recovery plans,\n         monitoring, log reviews, and self-assessments. 
22\n\nWhile OIT documents the results of security control assessment in their ST&Es,\nwe found the documented results did not provide enough information that could\nbe used to (1) assess the overall effectiveness of the controls for the 11 systems\nin our sample; and (2) determine if the controls were implemented correctly,\noperate as intended, and produce the desired outcome with respect to meeting\nthe security requirements for each information system. We made this\ndetermination based on the lack of detail that was provided in the ST&Es. The\nST&E results did not have details such as interviews, report references, and\npolicies or procedures that were used to support conclusions. In addition, the\n21\n  NIST SP 800-37, Rev. 1, p. 32, Section 3.4, Task 4.3.\n22\n  OIT\xe2\x80\x99s Implementing Instruction (II), IT Security Certification and Accreditation, Policy No. II 24-04.10.01\n(02.0), (June 29, 2005) p. 3.\nReview of the SEC\xe2\x80\x99s Systems C&A Process                                                       March 27, 2013\nReport No. 515\n                                                   Page 9\n\n                                 REDACTED PUBLIC VERSION\n\x0cresults did not include the sites that were accessed or assessment date, which is\nrequired by NIST SP 800-53A, Rev. 1. NIST SP 800-53A, Rev. 1 requires\nassessor\xe2\x80\x99s document areas such as the assessment date, key elements for\nassessment reporting, sites assessed, and the assessor\xe2\x80\x99s identification. 23\n\nTable 2 illustrates the comparison between the security control outlined in NIST\nSP 800-53A, Rev. 1, CA-2.2, Security Assessments and the systems evaluated\nin our sample. 24\n\nTable 2: CA-2.2. Detail for the Systems NIT Evaluated\n OIT Modified Assessment     OIT\xe2\x80\x99s ST&E Response for                 System     NIT\xe2\x80\x99s Evaluation Result\nObjective for Control CA 2.2      Control CA-2.2.                    Names\nControl was not evaluated and an   No CA-2.2. 
Control was not                  Control was not evaluated and\nexplanation why it was not         evaluated and an explanation                an explanation why it was not\nevaluated was not provided.        why it was not evaluated was                evaluated was not provided.\n                                   not provided.\nDoes the organization produce a    See CA-2.2. This ST&E is                    Does not provide sufficient\nsecurity assessment report that    being published as part of the              level of detail or identify the\ndocuments the results of the       first assessment of                         date of assessment\nassessment?                        security controls. A Risk\n                                   Assessment Summary report\n                                   is being delivered concurrently\n                                   with this ST&E Results Report\n                                   and an updated POA&M.\nDoes the organization produce a    See CA-2.2. This ST&E is                    Does not provide sufficient\nsecurity assessment report that    being published as part of the              level of detail or identify the\ndocuments the results of the       third assessment of                         date of assessment\nassessment?                        security controls. A Revised\n                                   Risk Assessment Summary\n                                   report is being delivered\n                                   concurrently with this ST&E\n                                   Results Report and an\n                                   updated POA&M.\nDoes the organization produce a    See CA-2.2. This ST&E is                    Does not provide sufficient\nsecurity assessment report that    being published as part of the              level of detail or identify the\ndocuments the results of the       second assessment of                        date of assessment\nassessment?                        
security controls. A Revised\n                                   Risk Assessment Summary\n                                   report and an updated POA&M\n                                   are being delivered\n                                   concurrently with this ST&E\n                                   Results Report.\n\nN/A                                       is a contractor system,              N/A\n                                   and ST&Es are not required\n                                   for contractor systems.\n\n\n\n\n23\n   NIST SP 800-53A, Rev. 1, p. G-1, Appendix G.\n24\n   NIST SP 800-53A, Rev. 1, p. F-81.\n25\n   We reviewed 3 of the 11 information systems in our sample and found the same response for this control.\n26\n   We reviewed 4 of the 11 information systems in our sample and found the same response for this control.\nReview of the SEC\xe2\x80\x99s Systems C&A Process                                                    March 27, 2013\nReport No. 515\n                                               Page 10\n\n                                REDACTED PUBLIC VERSION\n\x0c OIT Modified Assessment     OIT\xe2\x80\x99s ST&E Response for                   System    NIT\xe2\x80\x99s Evaluation Result\nObjective for Control CA 2.2      Control CA-2.2.                      Names\nDoes the organization produce a      See CA-2.2. This ST&E is                   Does not provide sufficient\nsecurity assessment report that      being published as part of the             level of detail or identify the\ndocuments the results of the         first assessment of                        date of assessment\nassessment?                          security controls. 
A Risk\n                                     Assessment Summary report\n                                     is being delivered concurrently\n                                     with this ST&E Results Report\n                                     and an initial POA&M.\nDoes the organization produce a      See CA-2.2. This ST&E is                   Does not provide sufficient\nsecurity assessment report that      being published as part of the             level of detail or identify the\ndocuments the results of the         reassessment of       security             date of assessment\nassessment?                          controls. A Revised Risk\n                                     Assessment Summary report\n                                     and updated POA&M are\n                                     being delivered concurrently\n                                     with this ST&E Results Report.\nSource: NIT Generated\n\nThe 11 systems in our sample had no evidence the assessor provided a\nsufficient level of detail for the assessment. Accordingly, the ST&Es for the\nsystems did not list the date the security control was evaluated.\n\nThe security control assessor is \xe2\x80\x9c[t]he individual, group, or organization\nresponsible for conducting a security control assessment.\xe2\x80\x9d 27 We were told OIT\ndoes not require the security control assessor to identify the evaluation date. OIT\nuses a manual process to conduct these assessments. However, automated\nC&A tools are available that could simplify this process by automatically\nrecording the assessor\xe2\x80\x99s name, date of the assessment for each control, and\nrequire assessors to provide detail. OIT\xe2\x80\x99s manual ST&E process requires the\nassessor to type-in its results in evaluating security controls and managing the\nC&A process. OIT informed us they will implement an automated solution, which\nwill become effective by 2014.\n\nEvidence and Artifacts\nNIST SP 800-53A, Rev. 
1 states that the assessors obtain evidence and artifacts\nfor the security control assessment:\n\n           Assessors obtain the required evidence during the assessment\n           process to allow the appropriate organizational officials to make\n           objective determinations about the effectiveness of the security\n           controls and the overall security state of the information system.\n\n           Security control assessors/assessment teams begin preparing for\n           the assessment by\xe2\x80\xa6 [o[btaining artifacts needed for the security\n27\n     NIST SP 800-37, Rev. 1, p. B-9, Appendix B.\nReview of the SEC\xe2\x80\x99s Systems C&A Process                                                     March 27, 2013\nReport No. 515\n                                                   Page 11\n\n                                 REDACTED PUBLIC VERSION\n\x0c         control assessment (e.g., policies, procedures, plans,\n         specifications, designs, records, administrator/operator manuals,\n         information system documentation, interconnection agreements,\n         previous assessment results)\xe2\x80\xa6 28\n\nOur ST&E review found the evidence and artifacts the assessors provided to\nsupport their ST&Es results did not have enough evidence that could be used to\nmake an objective determination regarding the effectiveness of the security\ncontrols and the overall security state of the system. In addition, the evidence\nand artifacts collected and used to support the security assessment results were\nnot mapped to a specific security control. For example, the documentation for\nthe                          systems (2 of the 11 systems in our sample\nuniverse) were labeled by the assessor as evidence to support the ST&Es\nincluded the SSP and system categorization, which were insufficient evidence or\nartifacts. 
We also found the documentation did not map to specific security\ncontrols or allow appropriate organization officials to make objective\ndeterminations about the effectiveness of the security controls and the overall\nsecurity state of the information system. An SSP is a formal document that\nprovides an overview of the security requirements for an information system and\ndescribes the security controls in place or planned for meeting those\nrequirements.\n\nTable 3 shown below consists of a comparison between the security control\noutlined in NIST SP 800-53A, Rev 1, CA-7.1, Continuous Monitoring and the\nST&Es. The responses found in the ST&Es do not reference any evidence or\nartifacts. 29\n\n\n\n\n28\n   NIST SP 800-53A, Rev. 1, p. 8, section 2.3; p. 14, Section 3.1.\n29\n   Ibid, p. F-87. Continuous monitoring is the process of tracking the security state of an information system\non an ongoing basis and maintaining the security authorization for the system over time. Understanding the\nsecurity state of information systems is essential in highly dynamic environments of operation with changing\nthreats, vulnerabilities, technologies, and mission and business processes. Network vulnerability\nassessments, ongoing security control assessments, and C&A are all components of continuous monitoring\nprograms.\nReview of the SEC\xe2\x80\x99s Systems C&A Process                                                     March 27, 2013\nReport No. 
515\n                                                 Page 12\n\n                                 REDACTED PUBLIC VERSION\n\x0cTable 3: Evidence and Artifacts for CA-7.1 for the Systems NIT Evaluated\n OIT Modified Assessment            OIT\xe2\x80\x99s ST&E Response             System      NIT\xe2\x80\x99s Evaluation Result\n Objective for Control CA             for Control CA-7.1            Names\n            7.1\nDoes the organization establish   The SEC has mature                           No evidence or artifacts\na continuous monitoring           continuous monitoring and                    provided\nstrategy and implement a          configuration management\ncontinuous monitoring program     programs. SEC systems are\nthat includes a configuration     reaccredited when security-\nmanagement process for the        relevant changes are made.\ninformation system and its        System changes are\nconstituent components?           approved through a\n                                  documented process that\n                                  includes security review.\n                                  Continuous monitoring is\n                                  performed on [name of\n                                  system] components residing\n                                  on GSS devices. [name of\n                                  system] has also been stable\n                                  after being limited to a read-\n                                  only archive in November\n                                  2009. (Partially covered by\n                                                            30\n                                  GSS common controls)\n\n\n\n\n30\n   NIST SP 800-53, Rev. 3 states organizations assign a hybrid status to a security control when one part of\nthe control is common and another part is system-specific. NIST SP 800-53, Rev. 3, p. 
11.\n31\n   We reviewed 8 of the 11 information systems in our sample and found the same response for this control.\nReview of the SEC\xe2\x80\x99s Systems C&A Process                                                    March 27, 2013\nReport No. 515\n                                                Page 13\n\n                                  REDACTED PUBLIC VERSION\n\x0c OIT Modified Assessment           OIT\xe2\x80\x99s ST&E Response             System    NIT\xe2\x80\x99s Evaluation Result\n Objective for Control CA            for Control CA-7.1            Names\n            7.1\nDoes the organization establish                                             No evidence or artifacts\na continuous monitoring             \xe2\x80\xa2   The SEC has mature                  provided\nstrategy and implement a                continuous monitoring\ncontinuous monitoring program           and configuration\nthat includes a configuration           management\nmanagement process for the              programs. SEC\ninformation system and its              systems are\nconstituent components?                 reaccredited when\n                                        security-relevant\n                                        changes are made.\n                                        System changes are\n                                        approved through a\n                                        documented process\n                                        that includes security\n                                        review. Continuous\n                                        monitoring is\n                                        performed on\n                                        components residing\n                                        on GSS devices. 
No\n                                        significant changes\n                                        have been made to the\n                                                application code\n                                        since it became\n                                        operational, but minor\n                                        changes have been\n                                        tracked in the\n\n                                        Configuration\n                                        Management tool.\n                                        Following this initial\n                                        C&A,          will\n                                        receive additional\n                                        continuous monitoring\n                                        attention (e.g., annual\n                                        review of user\n                                        accounts, the SSP,\n                                        and the DRP, and\n                                        quarterly review of\n                                        open POA&M\n                                        findings).\n                                    \xe2\x80\xa2   (Partially covered by\n                                        GSS common\n                                                  32\n                                        controls)\nN/A                                      is a contractor system,            N/A\n                                  and ST&Es are not required\n                                  for contractor systems.\n\n\n\n\n32\n     Ibid.\nReview of the SEC\xe2\x80\x99s Systems C&A Process                                                March 27, 2013\nReport No. 
515\n                                                Page 14\n\n                                  REDACTED PUBLIC VERSION\n\x0c OIT Modified Assessment              OIT\xe2\x80\x99s ST&E Response         System    NIT\xe2\x80\x99s Evaluation Result\n Objective for Control CA               for Control CA-7.1        Names\n            7.1\nDoes the organization establish                                            No evidence or artifacts\na continuous monitoring           \xe2\x80\xa2      The SEC has mature                provided\nstrategy and implement a                 continuous monitoring\ncontinuous monitoring program            and configuration\nthat includes a configuration            management\nmanagement process for the               programs. SEC\ninformation system and its               systems are\nconstituent components?                  reaccredited when\n                                         security-relevant\n                                         changes are made.\n                                         System changes are\n                                         approved through a\n                                         documented process\n                                         that includes security\n                                         review. Continuous\n                                         monitoring is\n                                         performed on\n                                         components residing\n                                         on GSS devices. 
No\n                                         significant changes\n                                         have been made to the\n                                                  application\n                                         code since it became\n                                         operational, but minor\n                                         changes have been\n                                         tracked in the\n\n                                         Configuration\n                                         Management tool.\n                                                reviewed the\n                                                  SCRs in\n                                                      to verify\n                                         CM was being used\n                                         appropriately. Other\n                                         forms of monitoring\n                                         have also been\n                                         conducted (e.g.,\n                                         annual review of user\n                                         accounts, the SSP,\n                                         and the DRP, and\n                                         quarterly review of\n                                         open POA&M\n                                         findings).\n                                  (Partially covered by GSS\n                                                     33\n                                  common controls)\nSource: NIT Generated\n\nOIT informed us the information the assessor used to conduct and prepare the\nST&Es is generated and supplied by OIT. 
However, OIT\xe2\x80\x99s staff did not have\ndirect access or control of the ST&E documentation the contractor collected.\nAlso, we were informed this documentation is stored on the contractor\xe2\x80\x99s off-site\n\n\n33\n     Ibid.\nReview of the SEC\xe2\x80\x99s Systems C&A Process                                               March 27, 2013\nReport No. 515\n                                                Page 15\n\n                                  REDACTED PUBLIC VERSION\n\x0cserver that is owned by the assessor, and OIT approved the assessor storing the\ndata at the off-site location.\n\nConclusion\nWe determined OIT needs to improve its evaluation of the SEC\xe2\x80\x99s security\ncontrols for its systems. Specifically, we determined OIT is not ensuring they\nexamine, interview and test security controls; provide a sufficient level of detail\nfor each security control evaluated; and obtain evidence and artifacts to ensure\nthe information systems meet federal guidance and SEC policy. Further, we\nfound that the ST&E responses in our sample universe did not reference any\nevidence or artifacts. Therefore, we concluded if evidence and artifacts was\ncollected, stored on SEC servers, and referenced to the ST&E, the SEC would\nthen be able to ensure NIST SP 800-53A, Rev. 1 requirements were achieved\nand the security controls were properly reviewed.\n\nFinally, we determined to properly meet NIST\xe2\x80\x99s requirements, assessors should\ncollect and document enough evidence within the ST&E, map the evidence to the\nspecific security controls, and keep the information in a centralized repository for\nfuture reference only on an SEC server.\n\n   Recommendation 1:\n\n   The Office of Information Technology should implement a centralized\n   repository for managing certification and accreditation activities including the\n   security test and evaluation process (i.e., evidence, artifacts, assessor date,\n   and sites assessed).\n   Management Comments. 
OIT concurred with this recommendation. See\n   Appendix VI for management\xe2\x80\x99s full comments.\n\n   OIG Analysis. We are pleased that OIT concurred with this\n   recommendation. OIG considers this recommendation resolved. However,\n   this recommendation will remain open until documentation is provided to OIG\n   that supports it has been fully implemented.\n\n   Recommendation 2:\n\n   The Office of Information Technology should determine if the Commission\n   has certification and accreditation files that are stored on its contractor\xe2\x80\x99s off-\n   site servers and, in the future, require contractor to maintain all Commission\n   files on servers the Commission owns and manages.\n\n\n\nReview of the SEC\xe2\x80\x99s Systems C&A Process                                  March 27, 2013\nReport No. 515\n                                      Page 16\n\n                          REDACTED PUBLIC VERSION\n\x0c     Management Comments. OIT concurred with this recommendation. See\n     Appendix VI for management\xe2\x80\x99s full comments.\n\n     OIG Analysis. We are pleased that OIT concurred with this\n     recommendation. OIG considers this recommendation resolved. However,\n     this recommendation will remain open until documentation is provided to OIG\n     that supports it has been fully implemented.\n\n\nFinding 2: OIT Did Not Develop Security Status\nReports for SEC\xe2\x80\x99s Systems the DAA Could\nReview\n        OIT did not develop security status reports for the\n        information systems in our sample.           As a result, we\n        determined the SEC\xe2\x80\x99s systems are operating at an elevated\n        risk level for information system exploitation.\n\nNIST SP 800-37, Rev. 
1, requires the DAA to verify the terms and conditions of\nthe authorization on an ongoing basis, specifically, that \xe2\x80\x9c[t]he authorizing official\nverifies on an ongoing basis, that the terms and conditions established as part of\nthe authorization are being followed by the information system owner or common\ncontrol provider.\xe2\x80\x9d 34\n\nAn authorization to operate (ATO) letter is the official management decision to\nauthorize the operation of an information system and to accept the risk to the\norganizational operations including mission, functions, or reputation. 35 The DAA\nissues an ATO after reviewing the results of the C&A package to determine risk\nto the SEC. An ATO is required for each SEC information system. Consistent\nwith the NIST SP 800-37 requirements, the SEC\xe2\x80\x99s ATOs for the 11 systems in\nour sample state, specifically, that \xe2\x80\x9c[t]he security accreditation of the information\nsystem will remain in effect as long as (i) the required security status report for\nthe system are submitted to this office every year\xe2\x80\xa6.\xe2\x80\x9d 36\n\nSecurity status reports describe or summarize key changes to security plans,\nsecurity assessment reports, and plans of action and milestones. 37 These\ndocuments identify information security vulnerabilities and the plans to address\nthem.\n\n\n34\n   NIST SP 800-37, Rev. 1, p. 36, Chapter 3.\n35\n   Ibid, p. B-1, Glossary.\n36\n   This is the Office of the Chief Information Officer.\n37\n   NIST SP 800-37, Rev. 1, p. G-2, Appendix G, Footnote No. 86.\nReview of the SEC\xe2\x80\x99s Systems C&A Process                                 March 27, 2013\nReport No. 515\n                                              Page 17\n\n                               REDACTED PUBLIC VERSION\n\x0cOIT did not develop security status reports for the systems in our judgmental\nsample and, therefore, did not comply with its ATO letter requirements. 
OIT\xe2\x80\x99s\ncontractor evaluated its controls on a three-year cycle, rather than using a\ncontinuous monitoring approach and assessing a subset of controls on an annual\nbasis, in accordance with NIST SP 800-37, Rev. 1. Continuous monitoring is the\nprocess of tracking the security state of an information system on an ongoing\nbasis and maintaining the security authorization for the system over time.\nUnderstanding the security state of information systems is essential in highly\ndynamic environments of operation with changing threats, vulnerabilities,\ntechnologies, and mission and business processes. Network vulnerability\nassessments, ongoing security control assessments, and C&As are all\ncomponents of continuous monitoring programs. As a result, if security controls\nare not assessed annually, OIT is unable to fully generate an updated annual\nsecurity status report that identifies vulnerabilities to the SEC\xe2\x80\x99s systems.\n\nOIT did not provide evidence that status reports are developed annually in the\npast. Though we requested system security status reports and documentation\nfrom OIT, we only received C&A documentation for the three-year certification\ncycle.\n\nConclusion\nWe determined the DAA is not reviewing and verifying the terms and conditions\nset forth in the system authorization on an annual basis as described in the ATO.\nConsequently, all 11 systems in our sample are operating without the proper\nauthority. Our review found that the DAA is reviewing and verifying the terms\nand conditions of the SEC\xe2\x80\x99s security controls on a three-year cycle and not on a\ncontinuous basis. 
We determined that because security controls were not\nreviewed and a security status report is not developed at least annually, SEC\xe2\x80\x99s\nsystems are operating at an elevated risk of exploitation level to its information\nsystems.\n\n   Recommendation 3:\n\n   The Office of Information Technology should develop and provide security\n   status reports to the designated approving authority as specified in their\n   authorization to operate memorandums.\n   Management Comments. OIT concurred with this recommendation. See\n   Appendix VI for management\xe2\x80\x99s full comments.\n\n   OIG Analysis. We are pleased that OIT concurred with this\n   recommendation. OIG considers this recommendation resolved. However,\n   this recommendation will remain open until documentation is provided to OIG\n   that supports it has been fully implemented.\nReview of the SEC\xe2\x80\x99s Systems C&A Process                              March 27, 2013\nReport No. 515\n                                      Page 18\n\n                          REDACTED PUBLIC VERSION\n\x0cFinding 3: PII is Inconsistently Documented in\nSome C&A Packages\n        Personally Identifiable Information (PII) for 3 of the 11\n        systems we reviewed was inconsistent with other C&A\n        documentation obtained during our assessment. As a result,\n        PII is potentially not being properly protected.\n\nPII is information in an IT system or online collection system that directly\nidentifies an individual by name, address, social security number or other\nidentifying number or code, telephone number, email address, etc. In addition,\nPII may be comprised of information an agency intends to identify specific\nindividuals in conjunction with other data elements such as indirect identification.\nThese data elements may also include identifying factors such as gender, race,\nbirth date, geographic indicator and other descriptors. 
38\nNIST SP 800-60, Volume 1, Revision 1, Guide for Mapping Types of Information\nand Information Systems to Security Categories (NIST SP 800-60, Rev. 1),\naddresses the FISMA direction to develop guidelines recommending that\nagencies conduct privacy impact assessments to determine if their information\nsystems contain PII. The guidance further states:\n\n        Agencies are required to conduct Privacy Impact Assessments\n        (PIA) before developing IT systems that contain personally\n        identifiable information or before collecting personally identifiable\n        information electronically\xe2\x80\xa6.Categorizations should be reviewed to\n        ensure that the adverse effects of a loss of PII confidentiality have\n        been adequately factored into impact determinations. The\n        confidentiality impact level should generally fall into the moderate\n        range. 39\n\nThe E-Government Act of 2002 establishes the requirement for agencies to\nconduct PIA for information systems and states the following:\n\n        \xe2\x80\xa6This law mandates that each agency shall: \xe2\x80\x94conduct a privacy\n        impact assessment; ensure the review of the privacy impact\n        assessment by the Chief Information Officer, or equivalent official,\n        as determined by the head of the agency; and if practicable, after\n        completion of the review under clause (ii), make the privacy impact\n\n\n38\n   U.S. Securities and Exchange Commission, Office of Information Technology, Privacy Impact Assessment\nGuide (Revised January 2007).\n39\n   NIST SP 800-60, Volume I, Rev. 1, Volume I: Guide for Mapping Types of Information and Information\nSystems to Security Categories (August 2008), p. 30, Section 4.4.2.\nReview of the SEC\xe2\x80\x99s Systems C&A Process                                               March 27, 2013\nReport No. 
515\n                                              Page 19\n\n                               REDACTED PUBLIC VERSION\n\x0c        assessment publicly available through the website of the agency,\n        publication in the Federal Register, or other means. 40\n\nTo address PII requirements SEC\xe2\x80\x99s C&A packages include privacy analysis\nworksheets (PAW) and/or PIA. The PAW is completed to determine whether a\nfull PIA is required. A PIA is an analysis of how information is handled to ensure\nhandling conforms to applicable legal, regulatory, and policy requirements\nregarding privacy. It is used to determine the risks and effects of collecting,\nmaintaining, and disseminating information in identifiable form in an electronic\ninformation system and to examine and evaluate protections and alternative\nprocesses for handling information to mitigate potential privacy risks.\xe2\x80\x9d 41\n\nWe reviewed copies of the PAWs and PIAs that the SEC\xe2\x80\x99s Privacy Office used\nfor the systems in our sample universe and found the PAWs/PIAs\nrepresentations regarding PII for the                               systems were\ninconsistent with other C&A documentation. Specifically, the system\ncategorization documentation received during the assessment was inconsistent\nwith the C&A documentation. \xe2\x80\x9cThe [system categorization] process is carried out\nby the information system owner and information owner/steward in cooperation\nand collaboration with appropriate organizational officials (i.e., senior leaders with\nmission/business function and/or risk management responsibilities). 
The security\ncategorization process is conducted as an organization-wide activity taking into\nconsideration the enterprise architecture and the information security\narchitecture\xe2\x80\xa6.The results of the security categorization process influence the\nselection of appropriate security controls for the information system and also,\nwhere applicable, the minimum assurance requirements for that system.\xe2\x80\x9d 43\n\n                The        system did not have a PAW disposition. Therefore,\nthe system may contain PII. Based on our review of the EMTS system\xe2\x80\x99s C&A\ndocumentation, we were unable to determine if the system contained PII. The\nsystem owner informed us it did not contain PII. At the time of our review this\nsystem was in use.\n\n                 Based on our review of the PAW for the        system, we\ndetermined the system did not contain PII. However, the system categorization\nwithin the risk assessment and SSP identified the system as having PII. The\nsystem owner informed us that the system did not contain PII, which is consistent\nwith its PAW disposition. At the time of our review this system was in use.\n\n\n\n40\n   Office of Management and Budget Memorandum M-03-22, OMB Guidance for Implementing the Privacy\nProvisions of the E-Government Act of 2002, (September 2003), Attachment b, Section 208B.\n41\n   NIST SP 800-53, Rev. 3, p.B-9, Glossary.\n42\n   Represents 3 of the 11 systems in our sample.\n43\n   NIST SP 800-37, Rev. 1, p. 21, Section 3.1, Task 1-1.\nReview of the SEC\xe2\x80\x99s Systems C&A Process                                           March 27, 2013\nReport No. 515\n                                           Page 20\n\n                             REDACTED PUBLIC VERSION\n\x0c                   Our review of the          system included a PIA that identified\nthe system as containing PII. However, the system categorization, risk\nassessment, and SSP did not identify the system as having PII. 
The system\nowner also informed us the system contained PII, which is consistent with the\nPIA\xe2\x80\x99s disposition. At the time of our review this system was in use.\n\nNIT requested documentation on January 9, 2013 confirming if the\n             systems contained PII. However, we were not provided any\nevidence. SEC\xe2\x80\x99s Privacy Office and OIT were working to provide us with\ndocumentation to resolve this matter. Table 4, shown below, outlines the\ndiscrepancies between the PAW disposition/PIA disposition and the security\ncategorization for the                          systems.\n\nTable 4: NIT\xe2\x80\x99s Privacy Analysis of\n   System          PAW            PIA          Privacy        Project# 515        Privacy Office /\n    Name        Disposition   Disposition      Office\xe2\x80\x99s         Analysis         OIT\xe2\x80\x99s Responses\n                                                Notes\n              Pending         Pending       No            No determination      The Privacy Office\n                                            determination from the privacy      previously worked with\n                                            from the      office. The system is the DIO for the system\n                                            privacy officein production without to obtain a completed\n                                                          a disposition of the PAW and PIA. Our\n                                                          PAW. This system team will contact the\n                                                          may possibly contain system owner to\n                                                          PII.                  
complete the pending\n                                                                                PAW and PIA for the\n                                                                                system by February\n                                                                                15, 2013.\n              Completed, PIA Not            Approved      The PAW states        The Privacy Office will\n              Not Required   Completed      11/21/07 (PIA there is no PII. The work with the system\n                                            n/a)          system                owner to complete an\n                                                          categorization in the updated PAW and PIA\n                                                          2011 risk             to reflect the current\n                                                          assessment and        status of the system by\n                                                          2011 SSP (dated       February 15, 2013.\n                                                          June 27, 2007)\n                                                          states the existence\n                                                          of PII in the system,\n                                                          but there is no PIA.\n              Not Completed   Completed     Approved      The PIA identifies    (This response is not\n                                            6/10/08       PII. 
However, the     from the Privacy\n                                                          system                Office, but from OIT):\n                                                          categorization in the The documents have\n                                                          2011 risk             been updated and\n                                                          assessment and        we\xe2\x80\x99re awaiting\n                                                          2011 SSP (dated       signatures from all\n                                                          November 30, 2007) concerned.\n                                                          does not identify the\n                                                          system as having\n                                                          PII.\nSource: NIT Generated\n\n\n\n\nReview of the SEC\xe2\x80\x99s Systems C&A Process                                              March 27, 2013\nReport No. 515\n                                            Page 21\n\n                              REDACTED PUBLIC VERSION\n\x0c   Table Response Options\n   \xe2\x80\xa2   Completed, PIA Required \xe2\x80\x93 The PAW was completed and a PIA is required.\n   \xe2\x80\xa2   Completed, PIA Not Required \xe2\x80\x93 The PAW was completed and a PIA is not required.\n   \xe2\x80\xa2   Not Completed \xe2\x80\x93 The documentation was not completed.\n   \xe2\x80\xa2   Pending \xe2\x80\x93 There is no determination from the Privacy Office.\n\nTable 4 further shows the missing documents, which we attributed to the lack of\nsystem owner involvement during the categorization process to provide direction\non identifying PII within systems. Additionally, based on our review of the PAWs\nand PIAs for                     , we determined OIT did not effectively document\nthe PII classification in the C&A documentation. 
As a result, there is a potential\nthat PII is not being properly protected, which could result in improper release of\nPII to unauthorized individuals.\n\nConclusion\nOverall, we found the PAWs/PIAs representations regarding the inclusion of PII\nfor                           was inconsistent with the C&A documentation that\nwas provided for the assessments, in particular, the system categorization. Our\ninterviews with system owners found many were able to identify whether PII was\nin their respective systems. Therefore, involving system owners in the\ncategorization process would provide OIT with better direction to identify PII\nwithin the system and correctly document PII within C&A documents.\n\n   Recommendation 4:\n\n   The Office of Information Technology (OIT) should review the security\n   documentation in the certification and accreditation packages, including\n   system categorization documents, risk assessment documents, and system\n   security plans to ensure that references to personally identifiable information,\n   privacy impact assessments, and privacy analysis worksheets, are\n   consistently providing the same disposition regarding Personally Identifiable\n   Information.\n\n   Management Comments. OIT concurred with this recommendation. See\n   Appendix VI for management\xe2\x80\x99s full comments.\n\n   OIG Analysis. We are pleased that OIT concurred with this\n   recommendation. OIG considers this recommendation resolved. However,\n   this recommendation will remain open until documentation is provided to OIG\n   that supports it has been fully implemented.\n\n\n\n\nReview of the SEC\xe2\x80\x99s Systems C&A Process                                            March 27, 2013\nReport No. 
515\n                                           Page 22\n\n                             REDACTED PUBLIC VERSION\n\x0cFinding 4: SEC Information System Owners Did\nNot Fully Understand Their Roles and\nResponsibilities in the C&A Process\n        SEC information system owners did not fully understand\n        their roles and responsibilities in the C&A process. As a\n        result, they approved C&A packages without having any\n        technical knowledge.\n\nSystem Owner Roles and Responsibilities\n\nNIST SP 800-37, Rev. 1, defines the information system owner as a person\n\xe2\x80\x9cresponsible for addressing the operational interests of the user community (i.e.,\nusers who require access to the information system to satisfy mission, business,\nor operational requirements) and for ensuring compliance with information\nsecurity requirements.\xe2\x80\x9d44 Further, NIST SP 800-37, Rev. 1 explains the RMF\nresponsibilities/tasks of the system owner.\n\n        The Risk Management Framework and associated RMF tasks\n        apply to both information system owners and common control\n        providers. In addition to supporting the authorization of information\n        systems, the RMF tasks support the selection, development,\n        implementation, assessment, authorization, and ongoing monitoring\n        of common controls inherited by organizational information\n        systems. 45\n\nInformation system owners are also responsible for input into the certification and\naccreditation process for a system, including providing input into the supporting\ndocumentation package. 
A comprehensive C&A documentation package consists\nof the following documents.46\n\n        \xe2\x80\xa2    FIPS 199 analysis\n        \xe2\x80\xa2    Security assessment plan (include a tailored control list)\n        \xe2\x80\xa2    ST&E report\n        \xe2\x80\xa2    Risk assessment\n        \xe2\x80\xa2    SSP\n        \xe2\x80\xa2    POA&M report\n        \xe2\x80\xa2    Security assessment report\n        \xe2\x80\xa2    ATO\n\n44\n   NIST 800-37, Rev. 1, page D-5, Appendix D, Section D.9.\n45\n   Ibid, p. 20.\n46\n   Title II, Pub. L, No. 107-347 (December 17, 2002).\nReview of the SEC\xe2\x80\x99s Systems C&A Process                                   March 27, 2013\nReport No. 515\n                                              Page 23\n\n                               REDACTED PUBLIC VERSION\n\x0cInformation system owners are required to categorize information systems and\ndocument the results, 47 help select the security controls, 48 and assist with\npreparing POA&Ms and assembling the C&A package. 49 Our interviews with\ninformation system owners found they do not fully understand their roles and\nresponsibilities in the C&A process, but sign-off on systems documentation that\nis presented to them for C&A packages.\n\nWe interviewed nine system owners and they informed us that they understood\ntheir roles as a system owner. 50 However, one system owner told us she was\ngiven a C&A package, but did not understand what the documents represented\nand signed the ATO as a formality. 
Overall, our evaluation found that 5 of 9\nsystem owners are not familiar with system categorization; 6 of 9 system owners\ndid not know the number of POA&Ms for their system; 3 of 9 system owners\nindicated they signed the ATO memo without fully understanding its significance;\nand 4 of 9 system owners did not attend any formal briefing.\n\nTraining\n\nNIST SP 800-16, Information Technology Security Training Requirements: A\nRole and Performance Based Model (NIST SP 800-16), states that \xe2\x80\x9cprior to be\ngranted access to IT applications and systems, all individuals must receive\nspecialized training focusing on their IT security responsibilities and established\nsystem rules. 51\n\nWe determined the system owners did not receive formal role-based IT security\ntraining or guidance based on their roles and responsibilities . As a result, the\nsystem owners are approving C&A packages without having technical\nknowledge. This results in data potentially not being properly protected.\n\nConclusion\nWe determined that system owners do not have an adequate understanding of\ntheir roles and responsibilities and have not been provided specialized training\nfocusing on their IT security responsibilities.\n\n\n\n\n47\n   NIST 800-37, Rev. 1, p. 21, Section 3.1, Task 1.1.\n48\n   Ibid, p. 25, Section 3.2, Task 2.2.\n49\n   Ibid, p. 34, Section 3.5, Tasks 5.1 and 5.2.\n50\n   We were unable to obtain interviews with the                      system owners. We interviewed both\nthe former and current          system owners.\n51\n   NIST SP 800-16. Information Technology Security Training Requirements: A Role and Performance\nBased Model (April 1998), Chapter 1, p. 3. See also OMB Circular A-130, Management of Federal\nInformation Resources, Appendix III, Security of Federal Automated Information Resources.\nReview of the SEC\xe2\x80\x99s Systems C&A Process                                                March 27, 2013\nReport No. 
515\n                                              Page 24\n\n                               REDACTED PUBLIC VERSION\n\x0c     Recommendation 5:\n\n     The Office of Information Technology should provide a documented brief that\n     management officials (system owners) can use as a resource reference.\n\n     Management Comments. OIT concurred with this recommendation. See\n     Appendix VI for management\xe2\x80\x99s full comments.\n\n     OIG Analysis. We are pleased that OIT concurred with this\n     recommendation. OIG considers this recommendation resolved. However,\n     this recommendation will remain open until documentation is provided to OIG\n     that supports it has been fully implemented.\n\n\nFinding 5: DAA Has Not Had Formal Role-Based\nIT Security Training\n        The DAA has not had formal role-based IT security-related\n        training. Having role-based training would enhance the\n        DAA\xe2\x80\x99s understanding of federal IT security standards.\n\nOIT\xe2\x80\x99s CIO is designated as the DAA. The DAA\xe2\x80\x99s primary responsibilities include\nreviewing the SEC\xe2\x80\x99s security risks and making a final decision whether to\nauthorize operations, delay operation to allow mitigation of risks prior to\nauthorizing, or deny operation based on findings of risk for the information\nsystems. The DAA has an integral role and responsibility for authorizing\nsystems, potentially including vulnerabilities, to operate in a production\nenvironment.\n\nNIST 800-50, Building an Information Technology and Security Awareness\nTraining Program, states that CIOs \xe2\x80\x9care tasked by the FISMA to administer\ntraining and oversee personnel with significant responsibilities for information\nsecurity.\xe2\x80\x9d 52\n\nNIST SP 800-53, Rev. 
3 requires \xe2\x80\x9crole-based security-related training based on\nassigned roles and responsibilities in which \xe2\x80\x9cthe organization determines the\nappropriate content of security training based on assigned roles and\nresponsibilities and the specific requirements of the organization and the\ninformation systems to which personnel have authorized access.\xe2\x80\x9d53\n\n\n52\n   NIST SP 800-50, Building an Information Technology Security Awareness and Training Program (October\n2003), p. 3, Section 1.5.2.\n53\n   NIST SP 800-53, Rev. 3, p. F-22.\nReview of the SEC\xe2\x80\x99s Systems C&A Process                                              March 27, 2013\nReport No. 515\n                                             Page 25\n\n                              REDACTED PUBLIC VERSION\n\x0cConsistent with the NIST requirements, the SEC Implementing Instruction\n24-04-03-01, IT Security Awareness Training states, \xe2\x80\x9c[R\xe2\x80\xa6[role-based]\ntraining is required of employees holding certain IT positions, specifically\nthose that have access to or knowledge of SEC sensitive data or\nmaterials.\xe2\x80\x9d 54\n\nAccording to the SEC\xe2\x80\x99s OIT Security Policy Framework Handbook, the roles and\nresponsibilities of the DAA for the Commission include:\n\n     \xe2\x80\xa2   Providing advice and assistance to senior management to ensure\n         IT is acquired and information resources are managed in a manner\n         consistent with laws, Executive Orders, directives, policies,\n         regulations, and priorities established by the head of the agency.\n     \xe2\x80\xa2   Developing, maintaining, and facilitating the implementation of a\n         sound information security program.\n     \xe2\x80\xa2   Promoting the effective and efficient design and operation of all\n         major information resources management processes. 
55\n\nThe DAA, who has worked at the SEC since October 2010, informed us that\nalthough he has knowledge of the SEC\xe2\x80\x99s sensitive data, he has not attended any\nformal, role-based IT security-related training. The DAA was unaware that such\ntraining was a NIST requirement or OIT policy. The DAA relies on OIT security\nstaff to provide IT security and FISMA related expertise and guidance, including\nwhen the DAA should authorize a system to operate.\n\nThe DAA authorized the operations of 10 of the 11 information systems in our\nsample universe. 56 Thus, the DAA explicitly accepted the risk to the SEC\xe2\x80\x99s\noperations and organizational assets based on an agreed-upon set of security\ncontrols. Having formal training in NIST and FISMA\xe2\x80\x99s requirements, would\nenhance the DAA\xe2\x80\x99s understanding of risks to the SEC\xe2\x80\x99s operations in areas such\nas mission, functions, image, reputation, or assets.\n\nConclusion\nThe DAA has not taken role-based training and is responsible for providing\nadvice and assistance to senior management regarding SEC\xe2\x80\x99s systems;\ndeveloping, maintaining, and facilitating the implementation of a sound\ninformation security program; and promoting the effective and efficient design\nand operation of all major information resources management processes.\n\n54\n   Implementing Instruction, IT Security Awareness Training, Policy No. 24-04-03-01 (Dec. 29, 2005), p. 4,\nSection 5b(1).\n55\n   OIT Security Policy Framework Handbook, CIO-PD-08-06 (August 2012), p. 7.\n56\n   The DAA authorized the operation of\n               systems.\nReview of the SEC\xe2\x80\x99s Systems C&A Process                                                    March 27, 2013\nReport No. 
515\n                                                Page 26\n\n                                REDACTED PUBLIC VERSION\n\x0cThe DAA should consider attending role-based information technology security\ntraining to further enhance his understanding of the National Institute of\nStandards and Technology and Federal Information Security Management Act\nrequirements.\n\n\nFinding 6: OIT Did Not Identify the Portion of\nHybrid Controls GSS Inherited and the Portion\nCovered by System-Specific Controls\n        The ST&Es for the application specific SEC systems did not\n        identify the portion of hybrid controls that were inherited by\n        GSS, or the portion that is covered by the system-specific\n        controls. 57 This could result in a portion of security controls\n        not being properly evaluated and security vulnerabilities not\n        being detected.\n\nOIT did not identify the portion of the hybrid controls that were inherited by the\nGSS and the portion covered by the system-specific controls in accordance with\nNIST SP 800-37, Rev. 1, 58 which state there are \xe2\x80\x9c\xe2\x80\xa6three types of security\ncontrols for information systems that can be employed by an organization: (i)\nsystem-specific controls (i.e., controls that provide a security capability for a\nparticular information system only); (ii) common controls (i.e., controls that\nprovide a security capability for multiple information systems); or (iii) hybrid\ncontrols (i.e., controls that have both system-specific and common\ncharacteristics). 59 Further, the security controls are subsequently allocated to the\ninformation systems as system-specific, hybrid, or common controls. 
60\n\nOIT documented security controls that were partially covered by GSS common\ncontrols in the ST&Es in our sample information system universe, but did not\nspecify which portion of the hybrid controls is inherited by the GSS, or the portion\nthat is covered by the system-specific controls.\n\nHybrid Controls\nHybrid controls are controls having both system-specific and common\ncharacteristics. 61 For example, contingency planning policy and procedures\n\n57\n   The GSS is \xe2\x80\x9c[a]n interconnected set of information resources under the same management control that\nshares common functionality.\xe2\x80\x9d NIST SP 800-18, Rev. 1, p. 33, Glossary.\n58\n   Ibid.\n59\n   NIST SP 800-37, Rev. 1, p. 16, Section 2.4.\n60\n   Ibid, p. 7, Section 2.1.\n61\n   Ibid, p. 16, Section 2.4.\nReview of the SEC\xe2\x80\x99s Systems C&A Process                                                 March 27, 2013\nReport No. 515\n                                               Page 27\n\n                               REDACTED PUBLIC VERSION\n\x0ccontrol may be implemented as a hybrid control. 62 The policy portion of the\ncontrol may be common (shared). However, the procedures may differ for each\nsystem. Since the policy is common, but the procedures are specific to each\nsystem, this control is considered hybrid.\n\nSystem-Specific Controls\nUnlike common controls which are evaluated once and the evaluation results can\nbe inherited by many systems, system-specific controls apply to each individual\nsystem and must be individually evaluated for each system. A system-specific\ncontrol is \xe2\x80\x9c[a] security control for an information system that has not been\ndesignated as a common security control.\xe2\x80\x9d 63 For example, the privacy impact\nassessment control may require testing on a limited number of information\nsystems containing PII. 
Since this control does not apply to all systems within the GSS, it cannot be inherited and is considered a system-specific control. Controls that are neither common nor hybrid are system-specific and pertain to a specific system.

Common Controls
"Common controls are security controls inherited by one or more organizational information systems."[65] They typically originate from the GSS and are accepted for use by major or minor applications. For example, the physical and environmental protection (PE) control family is typically evaluated for the GSS.[66] Major and minor applications associated with the GSS do not reevaluate the PE controls: because they are hosted in the same computing environment as the GSS, they can inherit the PE security controls from it. This avoids repeated evaluation of identical controls and reduces the resources required for implementing and evaluating security controls.

Identification of Hybrid and System-Specific Controls
NIST SP 800-53, Rev. 3 states that organizations assign a hybrid status to a security control when one part of the control is common and another part is system-specific. The guidance further states:

         Security controls not designated as common controls are considered system-specific controls or hybrid controls. System-specific controls are the primary responsibility of information system owners and their respective authorizing officials. Organizations assign a hybrid status to a security control when one part of the control is deemed to be common and another part of the control is deemed to be system-specific.[67]

[62] NIST SP 800-53, Rev. 3, p. F-47.
[63] NIST SP 800-18, Rev. 1, p. 39, Glossary.
[64] NIST SP 800-53, Rev. 3, p. F-87.
[65] NIST SP 800-37, Rev. 1, p. 24, Section 3.2, Task 2.1.
[66] NIST SP 800-53, Rev. 3, pp. D-4 to D-5.

We reviewed the ST&Es for each information system in our sample universe to determine whether OIT identifies the portion of each hybrid control that is inherited from the GSS and the portion that is covered by system-specific controls. Our detailed ST&E review was based on a judgmental sample of approximately 12 percent (24 of 200) of the security controls in OIT's ST&E documents. Overall, our review found that the ST&Es for application-specific systems did not identify which portion of the hybrid controls was inherited from the GSS and which portion was covered by the system-specific controls.

OIT's ST&E documented the response to the assessment objective "Does the organization establish a continuous monitoring strategy and implement a continuous monitoring program that includes a configuration management process for the information system and its constituent components?" as "Partially covered by common controls provided by the GSS." The response did not include the assessor's rationale for the hybrid status of the control.
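The allocation rule quoted above from NIST SP 800-53, Rev. 3 and the deficient CA-7.1 response just described lend themselves to a mechanical check. What follows is an added example, not code from this report, from NIT, or from OIT's ST&E or SSP templates: a Python validator over a simple control-allocation record that flags a hybrid control whose inherited and system-specific portions are not stated, a system-specific control that claims inheritance, and an SSP whose table of inherited common controls is empty. The record layout, the system name ExampleApp, and the sample control text are constructed for the illustration.

```python
"""Validate security-control allocation records against the NIST SP 800-53,
Rev. 3 rule quoted in the report: a control is common, system-specific, or
hybrid, and a hybrid control must say which part is inherited and which part
is system-specific. The record layout below is this example's assumption.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Allocation statuses defined in NIST SP 800-53, Rev. 3.
ALLOWED_STATUSES = ("common", "hybrid", "system-specific")


@dataclass
class ControlAllocation:
    """How one security control is allocated for one information system."""
    control_id: str                       # e.g. "CA-7.1"
    status: str                           # one of ALLOWED_STATUSES
    inherited_from: Optional[str] = None  # provider of the inherited part, e.g. "GSS"
    inherited_portion: str = ""           # which part of the control the provider covers
    system_portion: str = ""              # which part the system itself must satisfy
    rationale: str = ""                   # assessor's reason for the status


@dataclass
class SystemSecurityPlan:
    system_name: str
    common_controls_inherited: List[str] = field(default_factory=list)  # SSP's inherited-control table
    allocations: List[ControlAllocation] = field(default_factory=list)


def check_allocation(a: ControlAllocation) -> List[str]:
    """Return the findings for one allocation record (empty list = acceptable)."""
    findings = []
    if a.status not in ALLOWED_STATUSES:
        return [f"{a.control_id}: unknown status '{a.status}'"]
    if a.status == "hybrid":
        # The report's finding: "Partially covered by GSS common controls" names
        # neither the inherited portion nor the system-specific portion.
        if not a.inherited_from or not a.inherited_portion.strip():
            findings.append(f"{a.control_id}: hybrid control does not identify the portion inherited from the GSS")
        if not a.system_portion.strip():
            findings.append(f"{a.control_id}: hybrid control does not identify the system-specific portion")
        if not a.rationale.strip():
            findings.append(f"{a.control_id}: no assessor rationale for the hybrid status")
    elif a.status == "common":
        if not a.inherited_from:
            findings.append(f"{a.control_id}: common control names no provider (e.g., the GSS)")
    else:
        # A system-specific control is by definition not inherited.
        if a.inherited_from:
            findings.append(f"{a.control_id}: system-specific control claims inheritance from {a.inherited_from}")
    return findings


def check_ssp(ssp: SystemSecurityPlan) -> List[str]:
    """Check one system's SSP: the inherited-control table plus every allocation."""
    findings = []
    if not ssp.common_controls_inherited:
        findings.append(f"{ssp.system_name}: SSP does not list the common controls inherited from the GSS")
    for a in ssp.allocations:
        findings.extend(check_allocation(a))
        if a.inherited_from and a.control_id not in ssp.common_controls_inherited:
            findings.append(f"{a.control_id}: inherits from {a.inherited_from} but is missing from the SSP's inherited-control table")
    return findings


# Constructed sample: the CA-7.1 response pattern shown in Table 5 (hybrid status,
# no portions stated, no inherited-control list in the SSP), then a corrected record.
DEFICIENT_SSP = SystemSecurityPlan(
    system_name="ExampleApp",   # placeholder; the report's system names are redacted
    common_controls_inherited=[],
    allocations=[ControlAllocation(
        control_id="CA-7.1", status="hybrid", inherited_from="GSS",
        rationale="Partially covered by GSS common controls")],
)

CORRECTED_SSP = SystemSecurityPlan(
    system_name="ExampleApp",
    common_controls_inherited=["CA-7.1", "PE-3"],
    allocations=[
        ControlAllocation(
            control_id="CA-7.1", status="hybrid", inherited_from="GSS",
            inherited_portion="GSS continuous monitoring program and change control for GSS devices",
            system_portion="Application change review; annual SSP, DRP and user-account review; quarterly POA&M review",
            rationale="Monitoring of the hosting platform is shared; application changes are system-specific"),
        ControlAllocation(control_id="PE-3", status="common", inherited_from="GSS",
                          inherited_portion="Physical access control of the GSS data center"),
        ControlAllocation(control_id="PL-5.1", status="system-specific",
                          system_portion="Privacy impact assessment for this system's PII"),
    ],
)

if __name__ == "__main__":
    for finding in check_ssp(DEFICIENT_SSP):
        print("FINDING:", finding)
    print("corrected SSP findings:", check_ssp(CORRECTED_SSP))
```

Run stand-alone, the script reports four findings for the deficient record and none for the corrected one. A practitioner would feed it the allocation table of each SSP in a sample universe so that a hybrid control with an unstated inherited or system-specific portion is caught before the ST&E is accepted, rather than after an audit.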
Further, we found OIT did not evaluate security controls based on the full evaluation criteria identified in NIST SP 800-53A, Rev. 1.

We determined that OIT's security staff has a general understanding of basic NIST concepts such as the identification of common and hybrid controls, but lacks the understanding needed to identify the portion of the hybrid controls that is inherited from the GSS and the portion that is covered by system-specific controls. This occurred because OIT has not fully applied NIST guidance for identifying the inherited and system-specific portions of hybrid controls. We also found that OIT did not evaluate security controls based on the full evaluation criteria identified in NIST SP 800-53A, Rev. 1.

Table 5 below compares the security control outlined in NIST SP 800-53A, Rev. 1, CA-7.1, Continuous Monitoring, with the ST&Es in our sample universe.[68]

[67] Ibid., p. 11.
[68] NIST SP 800-53A, Rev. 1, p. F-87.

Table 5: Identification of Hybrid and System-Specific Controls for CA-7.1 for the Systems Evaluated

Columns: (1) OIT Modified Assessment Objective for Control CA-7.1; (2) OIT's ST&E Response for Control CA-7.1; (3) System Names; (4) NIT's Evaluation Result. System names are redacted in this public version.

Row 1
(1) Does the organization establish a continuous monitoring strategy and implement a continuous monitoring program that includes a configuration management process for the information system and its constituent components?
(2) The SEC has mature continuous monitoring and configuration management programs. SEC systems are reaccredited when security-relevant changes are made. System changes are approved through a documented process that includes security review. Continuous monitoring is performed on [name of system] components residing on GSS devices. [name of system] has also been stable after being limited to a read-only archive in November 2009. (Partially covered by GSS common controls)[69]
(3) [redacted][70]
(4) Does not identify the portion of the hybrid controls inherited from the GSS and the portion covered by the system-specific controls.

Row 2
(1) Same assessment objective as Row 1.
(2) The SEC has mature continuous monitoring and configuration management programs. SEC systems are reaccredited when security-relevant changes are made. System changes are approved through a documented process that includes security review. Continuous monitoring is performed on [redacted] components residing on GSS devices. No significant changes have been made to the [redacted] application code since it became operational, but minor changes have been tracked in the [redacted] Configuration Management tool. Following this initial C&A, [redacted] will receive additional continuous monitoring attention (e.g., annual review of user accounts, the SSP, and the DRP, and quarterly review of open POA&M findings). (Partially covered by GSS common controls)[71]
(3) [redacted]
(4) Does not identify the portion of the hybrid controls inherited from the GSS and the portion covered by the system-specific controls.

Row 3
(1) N/A
(2) [redacted] is a contractor system, and ST&Es are not required for contractor systems.
(3) [redacted]
(4) N/A

Row 4
(1) Same assessment objective as Row 1.
(2) The SEC has mature continuous monitoring and configuration management programs. SEC systems are reaccredited when security-relevant changes are made. System changes are approved through a documented process that includes security review. Continuous monitoring is performed on [redacted] components residing on GSS devices. No significant changes have been made to the [redacted] application code since it became operational, but minor changes have been tracked in the [redacted] Configuration Management tool. [redacted] reviewed the [redacted] SCRs in [redacted] to verify CM was being used appropriately. Other forms of monitoring have also been conducted (e.g., annual review of user accounts, the SSP, and the DRP, and quarterly review of open POA&M findings). (Partially covered by GSS common controls)[72]
(3) [redacted]
(4) Does not identify the portion of the hybrid controls inherited from the GSS and the portion covered by the system-specific controls.

Source: NIT Generated

[69] NIST SP 800-53, Rev. 3 states organizations assign a hybrid status to a security control when one part of the control is common and another part is system-specific. NIST SP 800-53, Rev. 3, p. 11.
[70] Our review of 8 of the 11 systems in our sample found the same response for this control.
[71] See footnote 69.
[72] See footnote 69.

As demonstrated in Table 5, the responses in the ST&Es for the sample universe do not specifically identify the portion of the hybrid controls inherited from the GSS or the portion covered by the system-specific controls. Not knowing which controls are inherited and which are system-specific could result in a portion of the security controls not being properly evaluated and security vulnerabilities going undetected.

Our review of the C&A package for the [redacted] found that the package did not include, within the SSP, a list of common controls derived from the GSS. When creating the SSP for the [redacted] application, OIT inadvertently omitted the list of common controls derived from the GSS, even though OIT's SSP template contains a table for listing common controls inherited from the GSS.
As a result, the security controls for the [redacted] system may not have been allocated properly, which could result in security controls not being properly evaluated.

Conclusion
NIT determined that OIT did not identify the portion of the hybrid controls that was inherited from the GSS or the portion that was covered by the system-specific controls for the information systems in our sample universe. We further determined that OIT is not evaluating the security controls based on the full evaluation criteria identified in NIST SP 800-53A, Rev. 1. Lastly, we found that the C&A package for the [redacted] does not include a list of common controls. As a result, a portion of the security controls may not be properly evaluated and security vulnerabilities may go undetected.

   Recommendation 6:

   The Office of Information Technology should identify the portion of the hybrid controls that is inherited from the general support system and the portion that should be evaluated as a system-specific control.

   Management Comments. OIT concurred with this recommendation. See Appendix VI for management's full comments.

   OIG Analysis. We are pleased that OIT concurred with this recommendation. OIG considers this recommendation resolved. However, this recommendation will remain open until documentation is provided to OIG that supports that it has been fully implemented.

   Recommendation 7:

   The Office of Information Technology should review and update the [redacted] security plan and include a list of the common controls inherited from the general support system in accordance with the approved system security plan template.

   Management Comments. OIT concurred with this recommendation. See Appendix VI for management's full comments.

   OIG Analysis. We are pleased that OIT concurred with this recommendation. OIG considers this recommendation resolved. However, this recommendation will remain open until documentation is provided to OIG that supports that it has been fully implemented.

                                                                        Appendix I

                               Abbreviations

           ATO                Authorization to Operate
           C&A                Certification and Accreditation
           CIO                Chief Information Officer
           CISO               Chief Information Security Officer
           CSC                Continuity Support Center
           DAA                Designated Approving Authority
           FIPS               Federal Information Processing Standard
           FISMA              Federal Information Security Management Act
           GSS                General Support System
           IT                 Information Technology
           NIST               National Institute of Standards and Technology
           NIT                Networking Institute of Technology, Inc.
           OCA                Office of the Chief Accountant
           OIG                Office of Inspector General
           OIT                Office of Information Technology
           OMB                Office of Management and Budget
           PAW                Privacy Analysis Worksheet
           PIA                Privacy Impact Analysis
           PII                Personally Identifiable Information
           POA&M              Plan of Actions and Milestones
           RMF                Risk Management Framework
           SEC or Commission  U.S. Securities and Exchange Commission
           SSP                System Security Plan
           ST&E               Security Test and Evaluation

                                                                        Appendix II

                                  Definitions

FIPS 199 Analysis - The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, individuals, other organizations, and the Nation.

Security Assessment Plan - Provides the objectives for the security control assessment, a detailed roadmap of how to conduct such an assessment, and assessment procedures.

ST&E Report - The security document that contains the assessment criteria and the assessment results for the required security controls for each system.

Risk Assessment - The process of identifying risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system.

SSP Formal Document - A document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements.

POA&M Report - A document that identifies tasks needing to be accomplished. It details the resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.

Security Assessment Report - The results of the security control assessment, including recommendations for correcting any weaknesses or deficiencies in the controls.

Authorization to Operate - The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.

                                                                        Appendix III

                             Scope and Methodology

The full version of this report includes information that the SEC considers to be sensitive or proprietary. To create this public version of the report, OIG redacted (blacked out) potentially sensitive, proprietary information from the report.

NIT conducted its review in accordance with the SEC/OIG Office of Audit's Audit Manual and Standard Operating Procedures.[73]

Scope. NIT conducted this review from June 2012 to December 2012. The scope of the review consisted of examining OIT's C&A process to ensure it is based on the RMF criteria identified in NIST SP 800-37, Rev. 1.
The six steps are listed below:

       •   Step 1–Categorize Information System: We examined the system documentation to determine if OIT is categorizing the information system in accordance with FIPS 199, describing the information system (including system boundary), and registering the information system with appropriate organizational program/management offices.

       •   Step 2–Select Security Controls: We evaluated the security controls to establish whether the initial set of baseline security controls for the information system includes tailoring based on the security categorization, organizational assessment of risk, and local conditions.

       •   Step 3–Implement Security Controls: We evaluated the SSP and ST&E reports to identify whether the security controls are implemented and identified in the tailored control list.

       •   Step 4–Assess Security Controls: We assessed the SEC processes for evaluating security controls to determine if the SEC is using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

       •   Step 5–Authorize Information System: We reviewed the C&A package for each system to determine if the SEC C&A process was in accordance with NIST SP 800-37, Rev. 1 guidance.

       •   Step 6–Monitor Security Controls: NIT reviewed the continuous monitoring program to establish whether there is an effective monitoring strategy for the systems. The continuous monitoring strategy for the information systems identifies the security controls monitored, the frequency of monitoring, and the control assessment approach.

[73] SEC/OIG Office of Audit's Audit Manual and Standard Operating Procedures (May 2012).

We assessed the C&A process that OIT and other information system owners use to test their systems and to determine compliance with governing SEC policies and procedures, industry best practices, and applicable government laws, directives, regulations, and publications such as OMB A-130, in accordance with OMB A-123. We completed the review of the SEC's systems C&A process, performed the necessary evaluation procedures, and compiled this report for the SEC OIG.

Methodology. To meet the objective of reviewing OIT's C&A process to ensure it is based on the six-step RMF criteria identified in NIST SP 800-37, Rev. 1, and to determine if the SEC has appropriately certified and accredited its systems in accordance with appropriate guidelines, we interviewed key OIT personnel and examined policies, procedures, and other related documentation. The key personnel included system owners, OIT representatives, and OIG stakeholders. We conducted follow-up interviews to gather additional evidence, and reviewed relevant documentation (such as policies, procedures, and roles and responsibilities) to address the evaluation objective.
We reviewed policies and procedures, including RMFs, and held discussions with SEC officials to discuss and confirm our analysis.

To meet the objective of determining whether the C&A process for critical applications is effective in identifying and mitigating risks in a timely manner, and of assessing the adequacy of OIT's internal controls and compliance with internal information security policies and procedures and industry best practices, standards, and guidelines, we conducted a detailed ST&E review based on a judgmental sample of approximately 12 percent (24 of 200) of the security controls in OIT's ST&E documents for the 11 information systems in our sample universe. We also reviewed other documentation relating to the scope of the C&A review. Our analysis is based on information provided from various sources, interviews with key SEC OIT personnel, prior audit coverage, support documentation, and artifacts provided to our staff.

Management Controls. Consistent with the objectives of this review, we did not assess OIT's management control structure. We reviewed existing controls at the Commission considered specific to the C&A review. To thoroughly understand OIT's management controls pertaining to its policies and procedures and methods of operation, we relied on information requested from and supplied by OIT staff members and information from interviews held with various OIT personnel. In accordance with OMB A-123, we evaluated management's responsibility for establishing and maintaining internal control to achieve the objectives of effective and efficient operations and compliance with applicable laws and regulations.

Use of Computer-Processed Data. We did not assess the reliability of OIT's computers because doing so did not pertain to our objectives for this review. Further, NIT did not perform any tests on the general or application controls over OIT's automated systems because such tests were not within the scope of our work. The information retrieved from these systems, as well as the requested documentation provided to us, was sufficient, reliable, and adequate for meeting our stated objectives.

Judgmental Sampling. We conducted a limited-scope review of the Commission's C&A process. We reviewed the SEC's computer systems that were certified and accredited from January 1, 2010 to March 31, 2012. Our evaluation consisted of reviewing C&A packages for a judgmental sample of 15 percent (11 of 59) of the SEC's computer systems. The systems selected for testing in our sample universe consisted of the [redacted]. We based the judgmental sample on a limited-scope review of both internal and external systems found in the SEC's inventory compliance workbook. The ST&E review consisted of controls that were reviewed within the scope and were based on a random selection of critical controls from the SEC's ST&E reports.[74]
74 We\nalso interviewed nine of these system owners.\n\n\n\n\n74\n  The ST&E controls selected for our review were as follows: AC-2.6, AC-3.1, AC-6.1, AU-2.1, AU-5.1, AU-\n5.2, AU-6.1, CA-2.1, CA-2.3, CA-7.1, CM-2.1, CM-2e1.1, CM-2e.3.1, CM-6.1, CP-2.1, IA-2.1, IA-7.1, PL-2.1,\nPL-5.1, RA-2.1, RA-5.1, SA-8.1, SC-4.1, SC-8.1, and SI-7.1.\nReview of the SEC\xe2\x80\x99s Systems C&A Process                                                 March 27, 2013\nReport No. 515\n                                               Page 38\n\n                               REDACTED PUBLIC VERSION\n\x0c                                                                    Appendix IV\n\n\n                                     Criteria\n\nFederal Information Security Management Act of 2002, Title III, Pub. L. No.\n107-347. Requires federal agencies to develop, document, and implement an\nagency-wide program providing security for the information and information\nsystems supporting the operations and assets of the agency, including those\nprovided or managed by another agency, contractor, or other source.\n\nOffice of Management and Budget Memorandum A-123, Management\xe2\x80\x99s\nResponsibility for Internal Controls. Provides guidance to agencies for\nensuring information systems are protected throughout the lifecycle process.\n\nOffice of Management and Budget Memorandum A-130, Management of\nFederal Information Resources. Provides guidance to agencies for managing\nfederal information resources.\n\nOffice of Management and Budget Memorandum M-03-22, OMB Guidance\nfor Implementing the Privacy Provisions of the E-Government Act of 2002.\nEstablishes the requirement for agencies to conduct PIAs for information\nsystems.\n\nNIST Special Publication 800-16, Information Technology Security Training\nRequirements: A Role and Performance Based Model. 
Provides guidance for\nsecurity training.\n\nNIST Special Publication 800-50, Building an Information Technology\nSecurity Awareness and Training Program. Provides guidance for security\ntraining and implementation.\n\nNIST Special Publication 800-53, Revision 3, Recommended Security\nControls for Federal Information Systems and Organizations. Provides\nguidance related to the steps in the RMF addressing security control selection.\n\nNIST Special Publication 800-53A, Revision 1, Guide for Assessing the\nSecurity Controls in Federal Information Systems and Organizations:\nBuilding Effective Security Assessment Plans (companion guideline to NIST\nSP 800-53). Covers the security control assessment and continuous monitoring\nsteps in the RMF and provides guidance on the security assessment process.\n\nNIST Special Publication 800-37, Revision 1, Guide for Applying the Risk\nManagement Framework to Federal Information Systems: A Security Life\n\n\nReview of the SEC\xe2\x80\x99s Systems C&A Process                             March 27, 2013\nReport No. 515\n                                      Page 39\n\n                          REDACTED PUBLIC VERSION\n\x0c                                                                Appendix IV\n\n\nCycle Approach. Provides guidance for applying the RMF to federal information\nsystems.\n\nNIST Special Publication 800-60, Volume 1, Rev. 1, Guide for Mapping\nTypes of Information and Information Systems to Security Categories.\nAddresses the FISMA direction to develop guidelines recommending agencies\nconduct privacy impact assessments to determine if the information systems\ncontain PII.\n\n\n\n\nReview of the SEC\xe2\x80\x99s Systems C&A Process                         March 27, 2013\nReport No. 
515\n                                      Page 40\n\n                          REDACTED PUBLIC VERSION\n\x0c                                                                       Appendix V\n\n\n                     List of Recommendations\n\nRecommendation 1:\n\nThe Office of Information Technology should implement a centralized repository\nfor managing certification and accreditation activities including the security test\nand evaluation process (i.e., evidence, artifacts, assessor date, and sites\nassessed).\n\nRecommendation 2:\n\nThe Office of Information Technology should determine if the Commission has\ncertification and accreditation files that are stored on its contractor\xe2\x80\x99s off-site\nservers and, in the future, require contractor to maintain all Commission files on\nservers the Commission owns and manages.\n\nRecommendation 3:\n\nThe Office of Information Technology should develop and provide security status\nreports to the designated approving authority as specified in their authorization to\noperate memorandums.\n\nRecommendation 4:\n\nThe Office of Information Technology (OIT) should review the security\ndocumentation in the certification and accreditation packages, including system\ncategorization documents, risk assessment documents, and system security\nplans to ensure that references to personally identifiable information, privacy\nimpact assessments, and privacy analysis worksheets, are consistently providing\nthe same disposition regarding Personally Identifiable Information.\n\nRecommendation 5:\n\nThe Office of Information Technology should provide a documented brief that\nmanagement officials (system owners) can use as a resource reference.\n\nRecommendation 6:\n\nThe Office of Information Technology should identify the portion of the hybrid\ncontrols that are inherited from the general support system and the portion that\nshould be evaluated as a system-specific control.\n\n\nReview of the SEC\xe2\x80\x99s Systems C&A Process       
Recommendation 7:

The Office of Information Technology should review and update the [redacted] security plan and include a list of common controls that was inherited from the general support system in accordance with the approved system security plan template.

Appendix VI

Management Comments

MEMORANDUM
March 25, 2013

To: Jacqueline Wilson, Assistant Inspector General for Audits, Office of Inspector General

From: Thomas A. Bayer, 1 Chief Information Officer, Office of Information Technology

Subject: Management Response, Review of the SEC's Systems Certification and Accreditation Process, Report No. 515

Thank you for the opportunity to comment on the recommendations in the report annotated above, as we work together for the integrity and efficiency of the Commission.
We appreciate the Office of Inspector General's insights and are providing the official response from the Office of Information Technology (OIT).

Recommendation 1: "The Office of Information Technology should implement a centralized repository for managing certification and accreditation activities including the security test and evaluation process (i.e. evidence, artifacts, assessor date, and sites assessed)."

Management Response: OIT concurs with the recommendation. OIT Security is working toward implementing a centralized repository that would maintain the deliverables that support the authorization to operate.

Recommendation 2: "The Office of Information Technology should determine if the Commission has certification and accreditation files that are stored on its contractor's off-site servers and, in the future, require contractor to maintain all Commission files on servers the Commission owns and manages."

Management Response: OIT concurs with the recommendation. OIT Security is aware of Commission files on contractors' servers and is working on rectifying the situation.

Recommendation 3: "The Office of Information Technology should develop and provide security status reports to the designated approving authority as specified in their authorization to operate memorandums."

Management Response: Concur with the recommendation. OIT will revise the language in the authorization to operate memorandums and report accordingly.

1 Pamela C. Dyson, Deputy Chief Information Officer, Office of Information Technology
Recommendation 4: "OIT should review the security documentation in the certification and accreditation packages, including system categorization documents, risk assessment documents, and system security plans to ensure that references to personally identifiable information, privacy impact assessments, and privacy analysis worksheets, are consistently providing the same disposition regarding PII."

Management Response: OIT concurs with the recommendation. None of the systems reviewed experienced adverse security events and were secured at the appropriate Federal Information Processing Standard (FIPS) Publication 199 impact level. OIT is confident the processes are in place, as it identifies systems that contain information in identifiable form. OIT has documented privacy analysis worksheets on systems to determine if they contain information in identifiable form, to determine whether a privacy impact assessment is required. OIT documents the appropriate information types in security categorization documentation that is summarized in risk assessments and system security plans. The inconsistencies identified by the auditors were a result of in-progress assessments and a clerical error. OIT will review our documentation to correct any remaining inconsistencies.

Recommendation 5: "The Office of Information Technology should provide a documented brief that management officials (system owners) can use as a resource reference."

Management Response: OIT concurs with the recommendation.
OIT orally briefs system owners or their representatives at the beginning of every authorization to operate meeting and explains the security requirements and their responsibilities in making collaborative, informed risk-based decisions. NIT did not observe an authorization to operate meeting. OIT can provide a documented briefing for these management officials, so they can have a resource to refer to.

Recommendation 6: "The Office of Information Technology should identify the portion of the hybrid controls that are inherited from the general support system and the portion that should be evaluated as a system-specific control."

Management Response: OIT concurs with the recommendation. OIT identifies controls inherited from the general support system in the ST&E Results Report; however, we do agree that those controls can be more clearly documented.

Recommendation 7: "The Office of Information Technology should review and update the [redacted] security plan and include a list of common controls that was inherited from the general support system in accordance with the approved system security plan template."

Management Response: OIT concurs with the recommendation. OIT will be updating the system security plan template for internally hosted applications to include a list of common controls inherited from the general support system.
Audit Requests and Ideas

The Office of Inspector General welcomes your input. If you would like to request an audit in the future or have an audit idea, please contact us at:

U.S. Securities and Exchange Commission
Office of Inspector General
Attn: Assistant Inspector General, Audits (Audit Request/Idea)
100 F Street, N.E.
Washington D.C. 20549-2736

Tel. #: 202-551-6061
Fax #: 202-772-9265
Email: oig@sec.gov

Hotline
To report fraud, waste, abuse, and mismanagement at SEC, contact the Office of Inspector General at:

Phone: 877.442.0854

Web-Based Hotline Complaint Form:
www.reportlineweb.com/sec_oig